Fixed date format in revocation request

backend.go

@@ -1,3 +1,12 @@
+/*
+ *  Copyright 2024 Keyfactor
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
 package keyfactor
 
 import (
@@ -6,6 +15,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"net/http"
 	"strings"
@@ -148,9 +158,9 @@ func (b *keyfactorBackend) submitCSR(ctx context.Context, req *logical.Request,
 	if res.StatusCode != 200 {
 		b.Logger().Error("CSR Enrollment failed: server returned" + fmt.Sprint(res.StatusCode))
 		defer res.Body.Close()
-		body, _ := ioutil.ReadAll(res.Body)
+		body, _ := io.ReadAll(res.Body)
 		b.Logger().Error("Error response: " + string(body[:]))
-		return nil, "", fmt.Errorf("enrollment failed: server returned  %d\n ", res.StatusCode)
+		return nil, "", fmt.Errorf("CSR Enrollment request failed with status code %d and error: "+string(body[:]), res.StatusCode)
 	}
 
 	// Read response and return certificate and key

build.sh

@@ -1,3 +1,11 @@
+__='
+   Copyright 2024 Keyfactor
+   Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+   Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+   and limitations under the License.
+'
 #!
 /usr/local/go/bin/go build -o vault/plugins/keyfactor cmd/keyfactor/main.go
 vault secrets disable keyfactor

cert_util.go

@@ -1,3 +1,12 @@
+/*
+ *  Copyright 2024 Keyfactor
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
 package keyfactor
 
 import (

client.go

@@ -1,3 +1,12 @@
+/*
+ *  Copyright 2024 Keyfactor
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
 package keyfactor
 
 import (

cmd/keyfactor/main.go

@@ -1,3 +1,12 @@
+/* 
+ *  Copyright 2024 Keyfactor
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
 package main
 
 import (

fields.go

@@ -1,3 +1,12 @@
+/*
+ *  Copyright 2024 Keyfactor
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
 package keyfactor
 
 import "github.com/hashicorp/vault/sdk/framework"

path_ca.go

@@ -1,3 +1,12 @@
+/*
+ *  Copyright 2024 Keyfactor
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
 package keyfactor
 
 import (

path_certs.go

@@ -1,3 +1,12 @@
+/*
+ *  Copyright 2024 Keyfactor
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
 package keyfactor
 
 import (
@@ -8,6 +17,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"strconv"
 	"strings"
 	"time"
 
@@ -126,6 +136,7 @@ func (b *keyfactorBackend) pathFetchCert(ctx context.Context, req *logical.Reque
 	// this is basically handled by setting contentType or not.
 	// Errors don't cause an immediate exit, because the raw
 	// paths still need to return raw output.
+
 	b.Logger().Debug("fetching cert, path = " + req.Path)
 
 	serial = data.Get("serial").(string)
@@ -331,7 +342,6 @@ func (b *keyfactorBackend) pathIssueSignCert(ctx context.Context, req *logical.R
 
 	// check the allowed domains for a match.
 	for _, v := range role.AllowedDomains {
-		b.Logger().Warn(v)
 		if strings.HasSuffix(cn.(string), v) { // if it has the suffix..
 			hasSuffix = true
 			if cn.(string) == v || role.AllowSubdomains { // and there is an exact match, or subdomains are allowed..
@@ -351,10 +361,38 @@ func (b *keyfactorBackend) pathIssueSignCert(ctx context.Context, req *logical.R
 		return nil, err_resp
 	}
 
+	// check the provided DNS sans against allowed domains
+	var cnMatch = false
+	b.Logger().Trace("checking dns sans" + dns_sans[0] + ", ...")
 	for u := range dns_sans {
-		if !strings.Contains(dns_sans[u], role.AllowedBaseDomain) || strings.Contains(dns_sans[u], role.AllowedBaseDomain) && !role.AllowSubdomains {
-			return nil, fmt.Errorf("Subject Alternative Name " + dns_sans[u] + " not allowed for provided role")
+		valid = false
+		hasSuffix = false
+		cnMatch = cnMatch || dns_sans[u] == cn.(string) // check to make sure at least one of the dns_sans match the cn
+		b.Logger().Trace("checking SANs")
+		for _, v := range role.AllowedDomains {
+			if strings.HasSuffix(dns_sans[u], v) { // if it has the suffix..
+				hasSuffix = true
+				if dns_sans[u] == v || role.AllowSubdomains { // and there is an exact match, or subdomains are allowed..
+					valid = true // then it is valid
+				}
+			}
+		}
+		if !valid {
+			err_resp = fmt.Errorf("Subject Alternative Name " + dns_sans[u] + " not allowed for provided role")
 		}
+		if !valid && hasSuffix {
+			err_resp = fmt.Errorf("sub-domains not allowed for role")
+		}
+	}
+
+	b.Logger().Trace("cnMatch = " + strconv.FormatBool(cnMatch))
+
+	if !cnMatch {
+		err_resp = fmt.Errorf("at least one DNS SAN is required to match the supplied Common Name for RFC 2818 compliance")
+	}
+
+	if err_resp != nil {
+		return nil, err_resp
 	}
 
 	//generate and submit CSR
@@ -381,9 +419,6 @@ func (b *keyfactorBackend) pathIssueSignCert(ctx context.Context, req *logical.R
 }
 
 func (b *keyfactorBackend) pathRevokeCert(ctx context.Context, req *logical.Request, data *framework.FieldData) (*logical.Response, error) {
-	//path := data.Get("path").(string)
-	//b.Logger().Debug("path = " + path)
-
 	serial := data.Get("serial").(string)
 	b.Logger().Debug("serial = " + serial)
 
@@ -451,8 +486,8 @@ func revokeCert(ctx context.Context, b *keyfactorBackend, req *logical.Request,
 		"Comment": "%s",
 		"EffectiveDate": "%s"},
 		"CollectionId": 0
-	  }`, keyfactorId, "via HashiCorp Vault", time.Now().UTC().String())
-	//b.Logger().Debug("Sending revocation request.  payload =  " + payload)
+	  }`, keyfactorId, "via HashiCorp Vault", time.Now().Format(time.RFC3339))
+	b.Logger().Debug("Sending revocation request.  payload =  " + payload)
 	httpReq, _ := http.NewRequest("POST", url, strings.NewReader(payload))
 
 	httpReq.Header.Add("x-keyfactor-requested-with", "APIClient")
@@ -464,10 +499,13 @@ func revokeCert(ctx context.Context, b *keyfactorBackend, req *logical.Request,
 		b.Logger().Error("Revoke failed: {{err}}", err)
 		return nil, err
 	}
-	if res.StatusCode != 204 {
-		r, _ := io.ReadAll(res.Body)
+	r, _ := io.ReadAll(res.Body)
+
+	b.Logger().Debug("response received.  Status code " + fmt.Sprint(res.StatusCode) + " response body: \n " + string(r[:]))
+	if res.StatusCode != 204 && res.StatusCode != 200 {
+		// r, _ := io.ReadAll(res.Body)
 		b.Logger().Info("revocation failed: server returned" + fmt.Sprint(res.StatusCode))
-		b.Logger().Info("error response = " + fmt.Sprint(r))
+		b.Logger().Info("error response = " + string(r[:]))
 		return nil, fmt.Errorf("revocation failed: server returned  %s\n ", res.Status)
 	}
 
@@ -514,8 +552,8 @@ func revokeCert(ctx context.Context, b *keyfactorBackend, req *logical.Request,
 			}
 			return logical.ErrorResponse(fmt.Sprintf("certificate with serial %s not found", serial)), nil
 		}
-		b.Logger().Info("certEntry key = " + certEntry.Key)
-		b.Logger().Info("certEntry value = " + string(certEntry.Value))
+		b.Logger().Debug("certEntry key = " + certEntry.Key)
+		b.Logger().Debug("certEntry value = " + string(certEntry.Value))
 
 		currTime := time.Now()
 		revInfo.CertificateBytes = certEntry.Value
@@ -531,7 +569,6 @@ func revokeCert(ctx context.Context, b *keyfactorBackend, req *logical.Request,
 		if err != nil {
 			return nil, fmt.Errorf("error saving revoked certificate to new location")
 		}
-
 	}
 
 	resp := &logical.Response{
@@ -540,7 +577,7 @@ func revokeCert(ctx context.Context, b *keyfactorBackend, req *logical.Request,
 		},
 	}
 	if !revInfo.RevocationTimeUTC.IsZero() {
-		resp.Data["revocation_time_rfc3339"] = revInfo.RevocationTimeUTC.Format(time.RFC3339Nano)
+		resp.Data["revocation_time_rfc3339"] = revInfo.RevocationTimeUTC.Format(time.RFC3339)
 	}
 	return resp, nil
 }

path_config.go

@@ -1,8 +1,16 @@
+/*
+ *  Copyright 2024 Keyfactor
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
 package keyfactor
 
 import (
 	"context"
-	"errors"
 	"fmt"
 
 	"github.com/hashicorp/vault/sdk/framework"
@@ -153,18 +161,12 @@ func (b *keyfactorBackend) pathConfigWrite(ctx context.Context, req *logical.Req
 		return nil, err
 	}
 
+	createOperation := false // always update.  not necessary to require all fields added simultaneously
+
 	if existingConfig == nil {
 		existingConfig = newConfig
 	}
 
-	createOperation := (req.Operation == logical.CreateOperation)
-
-	if newConfig == nil {
-		if !createOperation {
-			return nil, errors.New("config not found during update operation")
-		}
-	}
-
 	if username, ok := data.GetOk("username"); ok {
 		existingConfig.Username = username.(string)
 	} else if !ok && createOperation {

path_revoke.go

@@ -1,3 +1,12 @@
+/*
+ *  Copyright 2024 Keyfactor
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
 package keyfactor
 
 // import (

path_roles.go

@@ -1,3 +1,12 @@
+/*
+ *  Copyright 2024 Keyfactor
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *  Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions
+ *  and limitations under the License.
+ */
+
 package keyfactor
 
 import (